Tag: cybersecurity

How to map the Cybersecurity Threat Landscape? Follow the ENISA 6-step Methodology

Agency News, Cyber Security CII sector, Industry News

The cybersecurity threat landscape methodology developed by the European Union Agency for Cybersecurity (ENISA) aims at promoting consistent and transparent threat intelligence sharing across the European Union.

With a cyber threat landscape in constant evolution, the need for updated and accurate information on the current situation is growing and this a key element for assessing relevant risks.

This is why ENISA releases today an open and transparent framework to support the development of threat landscapes.

The ENISA methodology aims to provide a baseline for the transparent and systematic delivery of horizontal, thematic and sectorial cybersecurity threat landscapes (CTL) thanks to a systematic and transparent process for data collection and analysis.

Who can benefit from this new methodology?

This new methodology is made available to ENISA’s stakeholders and to other interested parties who wish to generate their own cyber threat landscapes. Adopting and/or adapting the proposed new CTL framework will enhance their ability to build situational awareness, to monitor and to tackle existing and potential threats.

ENISA will also be using this new methodology to deliver an enhanced annual ENISA Threat Landscape (ETL). It will also be used to generate technical or sectorial threat landscapes.

How does the methodology work?

The framework is based on the different elements considered in the performance of the cybersecurity threat landscape analysis. It therefore includes the identification and definition of the process, methods and tools used as well as the stakeholders involved.

Building on the existing modus operandi, this methodology provides directions on the following:

- defining components and contents of each of the different types of CTL;
- assessing the target audience for each type of CTL to be performed;
- how data sources are collected;
- how data is analysed;
- how data is to be disseminated;
- how feedback is to be collected and analysed.

The ENISA methodology consists of six main steps with feedback foreseen and associated to each of these steps:

1. Direction;
2. Collection;
3. Processing;
4. Analysis and production;
5. Dissemination;
6. Feedback

This CTL methodology has been validated by the ENISA ad-hoc working group on the Cybersecurity Threat Landscape (CTL WG). The group consists of European and international experts from both public and private sector entities.

Leave a comment , , , ,

Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks

Agency News, Cyber Security CII sector, Industry News

U.S. critical infrastructure (such as utilities, financial services, and pipelines) faces increasing cybersecurity risks. Understanding these risks and associated vulnerabilities, threats, and impacts is essential to protecting critical infrastructure.

Cybersecurity Vulnerabilities, Threats, and Impacts

Vulnerabilities. Critical infrastructure has become more vulnerable to cyberattacks for reasons that include greater use of interconnected electronic systems.

Threats. Threat actors—such as nation-states, criminal groups, and terrorists—have become increasingly capable of carrying out cyberattacks on critical infrastructure.

Impacts. Federal and industry data indicate that cyberattacks—including those affecting critical infrastructure—generally have increased in frequency and cost.

Source: Prior GAO reports and GAO analysis of agency and industry documentation.

The effects of cyber incidents can spill over from the initial target to economically linked firms—magnifying damage to the economy. For example, in May 2021 the Colonial Pipeline Company learned that it was the victim of a cyberattack that led to short-lived gasoline shortages.

Cyber insurance and the Terrorism Risk Insurance Program (TRIP)—the government backstop for losses from terrorism—are both limited in their ability to cover potentially catastrophic losses from systemic cyberattacks. Cyber insurance can offset costs from some of the most common cyber risks, such as data breaches and ransomware. However, private insurers have been taking steps to limit their potential losses from systemic cyber events. For example, insurers are excluding coverage for losses from cyber warfare and infrastructure outages. TRIP covers losses from cyberattacks if they are considered terrorism, among other requirements. However, cyberattacks may not meet the program's criteria to be certified as terrorism, even if they resulted in catastrophic losses. For example, attacks must be violent or coercive in nature to be certified.

The Department of the Treasury's Federal Insurance Office (FIO) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) both have taken steps to understand the financial implications of growing cybersecurity risks. However, they have not assessed the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response. CISA is the primary risk advisor on critical infrastructure and FIO the federal monitor of the insurance sector. Accordingly, they are well-positioned to jointly perform such an assessment. Doing so and reporting the results to Congress can inform deliberations on whether a federal insurance response is warranted.

If such a response were deemed necessary, GAO's framework for providing federal assistance to private market participants (GAO-10-719) could help inform its design. The framework notes the need to define the problem, mitigate moral hazard (that the existence of a federal backstop could result in entities taking greater risks), and protect taxpayer interests. Consistent with these elements, any federal insurance response should include clear criteria for coverage, specific cybersecurity requirements, and a dedicated funding mechanism with concessions from all market participants.

Cyber threats to critical infrastructure represent a significant economic challenge. Although cyber incident costs are paid in part by the private cyber insurance market, growing cyber threats have created uncertainty in this evolving market.

The Further Consolidated Appropriations Act, 2020, includes a provision for GAO to study cyber risks to U.S. critical infrastructure and available insurance for these risks. This report examines the extent to which (1) cyber risks for critical infrastructure exist; (2) private insurance covers catastrophic cyber losses and TRIP provides a backstop for such losses; and (3) cognizant federal agencies have assessed a potential federal response for cyberattacks.

GAO reviewed cyber insurance coverage literature and reports on cyber risk and the insurance market. GAO interviewed CISA and FIO officials and industry stakeholders (e.g., critical infrastructure owners, insurers, and brokers) that were selected based on factors such as expertise and market share.

Cyber insurance can help offset costs of some common cyber risks, like data breaches or ransomware. But cyber risks are growing, and cyberattacks targeting critical infrastructure—like utilities or financial services—could affect entire systems and result in catastrophic financial loss.

Insurers and the government's terrorism risk insurance may not be able to cover such losses. For example, the government's insurance may only cover cyberattacks if they can be considered "terrorism" under its defined criteria.

CISA and FIO should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment. Both agencies agreed with the recommendations.

Leave a comment , , , ,

NCSC joins industry to offer unprecedented protection for public from scams

Agency News, Cyber Security CII sector, Industry News

CITIZENS across the UK are set to benefit from a landmark partnership between government and industry which will see access to scam websites instantly blocked.

A new data sharing capability developed by the National Cyber Security Centre (NCSC) – a part of GCHQ – in collaboration with industry partners will present Internet Service Providers (ISPs) with real-time threat data that enables them to instantly block access to known fraudulent sites.

The new capability is being made available to all ISPs operating in the UK and will significantly bolster the nation’s ability to protect citizens from cyber criminals. In due course, even more defenders will be invited to join, including browser and manager service providers.

The NCSC has previously highlighted the problem of scam websites, including fake news pages where celebrities such as Ed Sheeran and Sir Richard Branson appear to be endorsing investment schemes that seek to trick people into parting with their money.

Leave a comment , , ,

Closer stakeholder cooperation essential for ransomware investigations to succeed

Agency News, Cyber Security CII sector, Industry News

The scale and impact of ransomware attacks have increased significantly over the past years, in part due to the COVID-19 pandemic. As such, the success of criminal investigations and prosecutions depends more than ever on close cross-border cooperation between public authorities, private companies and victims. Public-private cooperation is particularly valuable in such cases, as companies can preserve and provide the data and evidence investigators need to investigate crimes and identify criminals.

These are some of the main conclusions from the latest edition of the Cybercrime Judicial Monitor, featuring a special focus on ransomware investigations, published this month.

Cooperation between stakeholders in ransomware investigations is essential. This includes the reporting of ransomware attacks by victims, the preservation and possible analysis of digital evidence by private companies, and the investigation and prosecution by public authorities. The international dimension of investigations and the complexity of identifying criminals require early and close cross-border coordination between judicial and law enforcement authorities. Actions by each stakeholder group play a key role in the mitigation of damages, disruption of attacks and the identification and prosecution of perpetrators.

The report, based on practitioners’ input, highlights the challenges encountered in ransomware investigations. These include:

the loss of data and important e-evidence;
the criminal use of encryption and anonymisation techniques preventing the identification of suspects;
the complexity of investigations and the lack or delay of international coordination;
the absence of a harmonised data-retention legal framework; and
insufficient resources and expertise of law enforcement authorities.

Despite these obstacles, practitioners can learn from the many good practices showcased in the report. These include the swift notification of ransomware attacks to relevant authorities and the creation of technical reports by the victim or affected company. Continuous information exchange between the authorities and the victim/technical team has proved highly important. The provision of guidelines for public authorities on how to deal with ransomware attacks, as well as specialised training for police and judicial authorities, is also key.

The report underlines the successful use of joint investigation teams facilitated by Eurojust, which have led to the identification, arrest and prosecution of cybercriminals. The building of trust between public authorities and private companies by sharing information and regular communication is also essential. Although most countries do not have a specific legal framework for public-private cooperation, experience has shown that such frameworks have enabled ransomware investigations to succeed and that they are therefore much needed.

Leave a comment , , ,

Testing the Resilience of the European Healthcare Sector

Agency News, Health & Social Care

To ensure citizens’ trust in the medical services and infrastructure available to them, health services should function at all times. If health services and infrastructures in Europe were the object of a major cyber attack, how would we respond and coordinate at both national and EU level to mitigate the incidents and prevent an escalation?

This is the question Cyber Europe 2022 sought to answer using a fictitious scenario. Day one featured a disinformation campaign of manipulated laboratory results and a cyber attack targeting European hospital networks. On day two, the scenario escalated into an EU-wide cyber crisis with the imminent threat of personal medical data being released and another campaign designed to discredit a medical implantable device with a claim on vulnerability.

The Executive Director of the EU Agency for Cybersecurity, Juhan Lepassaar, said: “The complexity of our challenges is now proportionate to the complexity of our connected world. This is why I strongly believe we need to gather all the intelligence we have in the EU to share our expertise and knowledge. Strengthening our cybersecurity resilience is the only way forward if we want to protect our health services and infrastructures and ultimately the health of all EU citizens.”

The pan-European exercise organised by ENISA rallied a total of 29 countries from both the European Union and the European Free Trade Association (EFTA), as well as the EU agencies and institutions, including ENISA, the European Commission, the CERT of EU Institutions, bodies and agencies (CERT-EU), Europol and the European Medicine Agency (EMA). More than 800 cybersecurity experts were in action to monitor the availability and integrity of the systems over the two days of this latest edition of Cyber Europe.

Can we strengthen the cyber resilience of the EU healthcare?

The participants who engaged in the complex exercise were satisfied with the way the incidents were dealt with and the response to fictitious attacks.

Now, the analysis of the process and of the outcomes of the different aspects of the exercises need to be performed in order to get a realistic understanding of potential gaps or weaknesses which may require mitigation measures. Dealing with such attacks requires different levels of competences and processes which include efficient and coordinated information exchange, the sharing of knowledge around specific incidents and how to monitor a situation which is about to escalate in case of a generalised attack. The role of the EU level CSIRTs network and the draft standard operation processes (SOPs) of the CyCLONe group also need to be looked into.

The deeper analysis will be published in the after-action report. The findings will serve as a basis for future guidance and further enhancements to reinforce the resilience of the healthcare sector against cyber attacks in the EU.

Leave a comment , , , ,

NSA, CISA, and FBI Expose PRC State-Sponsored Exploitation of Network Providers, Devices

Agency News, Cyber Security CII sector

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a Cybersecurity Advisory (CSA) today, “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices.” The advisory highlights how People’s Republic of China (PRC) actors have targeted and compromised major telecommunications companies and network service providers primarily by exploiting publicly known vulnerabilities. Networks affected have ranged from small office/home office (SOHO) routers to medium and large enterprise networks.

The PRC has been exploiting specific techniques and common vulnerabilities since 2020 to use to their advantage in cyber campaigns. Exploiting these vulnerabilities has allowed them to establish broad infrastructure networks to exploit a wide range of public and private sector targets.

General mitigations outlined in the advisory include: applying patches as soon as possible, disabling unnecessary ports and protocols, and replacing end-of-life network infrastructure. NSA, CISA, and FBI also recommend segmenting networks and enabling robust logging of internet-facing services and network infrastructure accesses.

The advisory is broken down into three sections: an explanation of common vulnerabilities exploited by PRC state-sponsored cyber actors, an introduction of how telecommunications and network service provider targeting occurred through open source and custom tools, and an overview of recommended mitigations.

Leave a comment , , ,

DOD Needs to Improve Performance Reporting and Cybersecurity and Supply Chain Planning

Agency News, Cyber Security CII sector, Industry News

For fiscal year 2022, DOD requested approximately $38.6 billion for its unclassified IT investments. These investments included programs such as communications and command and control systems. They also included major IT business programs, which are intended to help the department carry out key functions, such as financial management and health care.

The NDAA for FY 2019 included a provision for GAO to assess selected DOD IT programs annually through March 2023. GAO's objectives for this review were to (1) examine how DOD's portfolio of major IT acquisition business programs has performed; (2) determine the extent to which the department has implemented software development, cybersecurity, and supply chain risk management practices; and (3) describe actions DOD has taken to implement legislative and policy changes that could affect its IT acquisitions.

To address these objectives, GAO determined that DOD's major IT business programs were the 25 that DOD reported to the federal IT Dashboard as of December 2021 (The IT Dashboard is a public website that includes information on the performance of IT investments). GAO examined DOD's planned expenditures for these programs from fiscal years 2020 through 2022, as reported in the department's FY 2022 submission to the Dashboard.

GAO obtained the programs' operational performance data from the Dashboard and compared the data to OMB guidance. It also met with DOD CIO officials to determine reasons why programs were not reporting data in accordance with guidance.

In addition, GAO aggregated program office responses to a GAO questionnaire that requested information about cost and schedule changes that the programs experienced since January 2020.

GAO also aggregated DOD program office responses to the questionnaire that requested information about software development, cybersecurity, and supply chain risk management plans and practices. GAO compared the responses to relevant guidance and leading practices.

Further, GAO reviewed actions DOD has taken to implement its plans for addressing previously identified legislative and policy changes that could affect its IT acquisitions. This included reviewing information associated with the department's efforts to (1) finalize strategies for its business system and software acquisition pathways; (2) implement modern approaches to software development such as transitioning to Agile; and (3) reorganize the responsibilities of the former Chief Management Officer throughout the department. GAO met with relevant DOD officials to discuss each of the topics addressed in this report.

According to the Department of Defense's (DOD) fiscal year (FY) 2022 submission to the federal IT Dashboard, DOD planned to spend $8.8 billion on its portfolio of 25 major IT business programs between FY 2020 and 2022. In addition, 18 of the 25 programs reported experiencing cost or schedule changes since January 2020. Of these programs, 14 reported the extent to which program costs and schedules had changed, noting cost increases ranging from $0.1 million to $10.7 billion and schedule delays ranging from 5 to 19 months. Program officials attributed the changes to various factors, including requirement changes or delays, contract developments, and technical complexities.

Programs also reported operational performance data to the federal IT Dashboard. As of December 2021, the 25 programs collectively identified 172 operational performance metrics consistent with Office of Management and Budget (OMB) guidance. These metrics covered a range of performance indicators such as the timeliness of program deliverables and the percentage of time that systems were available to users. However, programs only reported progress on 77 of the 172 operational performance targets.

Nineteen programs did not fully report progress on their operational performance. Officials from the Office of the DOD CIO stated that programs that have operational performance measures should be reporting them to the Dashboard. They added that there were multiple factors that could have led to programs not reporting the metrics, including a reorganization that shifted responsibilities for IT investment management and confusion about the reporting requirement. Nevertheless, by reporting incomplete performance data, DOD limits Congress' and the public's understanding of how programs are performing.

As of February 2022, DOD program officials from all 11 (of the 25) major IT business programs that we considered to be actively developing new software functionality reported using recommended iterative development practices that can limit risks of adverse cost and schedule outcomes. Officials from eight of the 11 programs reported using Agile software development, which can support continuous iterative software development. Officials for five of the programs also reported delivering software functionality every 6 months or less, as called for in OMB guidance. Officials for three programs reported a frequency greater than 6 months and officials from the remaining three did not indicate a frequency.

In addition, as of February 2022, officials from the 25 major IT business programs reported on whether they had an approved cybersecurity strategy as required by DOD.

Officials from DOD CIO stated that they will follow up with the programs that did not provide an approved cybersecurity strategy. Until DOD ensures that these programs develop strategies, programs lack assuance that they are effectively positioned to manage cybersecurity risks and mitigate threats.

Officials from the 25 programs also reported on whether they had a system security plan that addresses information and communications technology (ICT) supply chain risk management, as called for by leading practices.

DOD guidance does not require programs to address ICT supply chain risk management in security plans. According to officials from DOD CIO, IT programs might address supply chain risk management in program protection plans. In addition, they noted that recent supply chain efforts have been focused on weapons systems. However, 15 of DOD's major IT programs did not demonstrate that they had a supply chain risk management plan. Until DOD ensures that these programs have such plans, they are less likely to be able to manage supply chain risks and mitigate threats that could disrupt operations.

Regarding actions to implement legislative and policy changes, the National Defense Authorization Act (NDAA) for FY 2021 eliminated the DOD chief management officer (CMO) position. This position previously had broad oversight responsibilities for DOD business systems. In September 2021, the Deputy Secretary of Defense directed a broad realignment of the responsibilities previously assigned to the CMO. GAO will continue to monitor DOD's efforts to redistribute the roles and responsibilities formerly assigned to the CMO.

Leave a comment , , ,

Coordinated Vulnerability Disclosure policies in the EU

Agency News, Cyber Security CII sector, Industry News

Vulnerability disclosure has become the focus of attention of cybersecurity experts engaged in strengthening the cybersecurity resilience of the European Union. The valid source of concern comes from the cybersecurity threats looming behind vulnerabilities, as demonstrated by the impact of the Log4Shell vulnerability.

Security researchers and ethical hackers constantly scrutinise ICT systems - both open source and commercial closed source software - to find weaknesses, misconfigurations, software vulnerabilities, etc. A wide range of issues are thus revealed: weak passwords, fundamental cryptographic flaws or deeply nested software bugs.

Identifying vulnerabilities is therefore essential if we want to prevent attackers from exploiting them. It is important to consider that attackers can always develop malware specially designed to exploit vulnerabilities disclosed to the public. Besides the identification itself, vendors can also be reluctant to acknowledge vulnerabilities as their reputation might be damaged as a consequence.

What is CVD?

Coordinated vulnerability disclosure (CVD) is a process by which vulnerabilities finders work together and share information with the relevant stakeholders such as vendors and ICT infrastructure owners.

CVD ensures that software vulnerabilities get disclosed to the public once the vendor has been able to develop a fix, a patch, or has found a different solution.

What are national CVD policies?

National CVD policies are national frameworks of rules and agreements designed to ensure:

researchers contact the right parties to disclose the vulnerability;
vendors can develop a fix or a patch in a timely manner;
researchers get recognition from their work and are protected from prosecution.

What is the situation in the EU?

The report published today maps the national CVD policies in place across the EU, compares the different approaches and, highlights good practices.

The analysis allows a wide disparity to be observed among Member States in relation to their level of CVD policy achievement. At the time the data used in the report was collected, only four Member States had already implemented such a CVD policy, while another four of them were about to do so. The remaining Member States are split into two groups: those currently discussing how to move forward and those who have not yet reached that stage.

What are ENISA’s recommendations to promote CVD?

The main recommendations from the analysis of nineteen EU Member States include:

Amendments to criminal laws and to the Cybercrime Directive to offer legal protection to security researchers involved in vulnerability discovery;
the definition of specific criteria for a clear-cut distinction between “ethical hacking” and “black hats” activities prior to establishing any legal protection for security researchers;
incentives to be developed for security researchers to actively participate in CVD research, either through national or European bug bounty programmes, or through promoting and conducting cybersecurity training.

Apart from the above, additional recommendations are issued in relation to the economic and polical challenges and also address operational and crisis management activities.

Next steps

The Commission’s proposal for the revision of the Network and Information Security Directive or NIS2 proposal, provides for EU countries to implement a national CVD policy. ENISA will be supporting the EU Member States with the implementation of this provision and will be developing a guideline to help EU Member States establish their national CVD policies.

In addition, ENISA will need to develop and maintain an EU Vulnerability database (EUVDB). The work will complement the already existing international vulnerability databases. ENISA will start discussing the implementation of the database with the European Commission and the EU Member States after the adoption of the NIS2 proposal.

Background material

The report builds upon previous work performed by ENISA in the field of vulnerabilities. ENISA issued a report on good practices on vulnerability disclosure in 2016, and the economic impact of vulnerabilites was explored in detail in 2018. In addition, the limitations and opportunities of the vulnerability ecosystem were analysed in the ENISA 2018/2019 State of Vulnerabilities report.

Leave a comment ,

NSA, Allies Issue Cybersecurity Advisory on Weaknesses that Allow Initial Access

Agency News, Cyber Security CII sector, Industry News

The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the FBI, along with allied nations, published a Cybersecurity Advisory today to raise awareness about the poor security configurations, weak controls and other poor network hygiene practices malicious cyber actors use to gain initial access to a victim’s system.

“Weak Security Controls and Practices Routinely Exploited for Initial Access” also includes best practices that can help organizations strengthen their defenses against this malicious activity.

“As long as these security holes exist, malicious cyber actors will continue to exploit them,” said NSA Cybersecurity Director Rob Joyce. “We encourage everyone to mitigate these weaknesses by implementing the recommended best practices.”

Some of the most common weaknesses include not enforcing multifactor authentication, incorrectly applying privileges or permissions and errors within access control lists and not keeping software up to date. The advisory recommends mitigations that control access, harden credentials, establish centralized log management and more.

CISA produced the advisory with help from NSA and other partners. That includes the FBI, the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ), the Netherlands National Cyber Security Centre (NCSC-NL), and the United Kingdom National Cyber Security Centre (NCSC-UK) on the advisory. Many of the same cybersecurity authorities collaborated to release a complementary advisory on 27 April, which highlighted the top routinely exploited vulnerabilities from 2021.

Leave a comment ,

UK joins international cyber agency partners to release supply chain guidance

Agency News, Cyber Security CII sector, Industry News

THE UK and its international partners have today (Wednesday) issued advice to IT service providers and their customers as part of wider efforts to protect organisations in the wake of Russia’s invasion of Ukraine.

The joint advisory from the National Cyber Security Centre (NCSC) – a part of GCHQ – and its partners sets out a series of practical steps for managed service providers (MSPs) and their customers.

The advisory has been issued alongside the US’s Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), National Security Agency (NSA), and Federal Bureau of Investigation (FBI).

It is being released on the second day of the NCSC’s CYBERUK conference in Wales, which a number of these partners are attending.

MSPs provide IT support to their customers in various ways, for example through software or cyber security services, and in order to do so they are granted privileged access to a customer’s network.

This can create opportunities for attackers, who can gain access to an organisation’s network by compromising their MSPs.

One of the most significant examples of these supply chain attacks was that carried out in 2020 against US software company Solarwinds, which impacted customers throughout the world.

Organisations are being encouraged to consider the advisory, Protecting Against Cyber Threats to Managed Service Providers and their Customers, in conjunction with guidance from the NCSC and others in relation to the heightened tensions as a result of events in Ukraine.

NCSC CEO Lindy Cameron said:

“We are committed to further strengthening the UK’s resilience, and our work with international partners is a vital part of that.

“Our joint advisory with international partners is aimed at raising organisations’ awareness of the growing threat of supply chain attacks and the steps they can take to reduce their risk.”

CISA Director Jen Easterly said:

“I strongly encourage both managed service providers and their customers to follow this and our wider guidance – ultimately this will help protect not only them but organisations globally.

“As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it’s critical that MSPs and their customers take recommended actions to protect their networks.

“We know that MSPs that are vulnerable to exploitation significantly increases downstream risks to the businesses and organisations they support. Securing MSPs are critical to our collective cyber defense, and CISA and our interagency and international partners are committed to hardening their security and improving the resilience of our global supply chain.”

Abigail Bradshaw CSC, Head of the Australian Cyber Security Centre, said:

“Managed Service Providers are vital to many businesses and as a result, a major target for malicious cyber actors.

“These actors use them as launch pads to breach their customers’ networks, which we see are often compromised through ransomware attacks, business email compromises and other methods. Effective steps can be taken to harden their own networks and to protect their client information. We encourage all MSPs to review their cyber security practices and implement the mitigation strategies outlined in this Advisory.”

Sami Khoury, Head, Canadian Centre for Cyber Security, said:

“We’ve seen the damage and impact cyber compromises can have on supply chains, managed service providers, and their customers.

“These compromises can result in costly mitigation activities and lengthy downtime for clients. We strongly encourage organizations to read this advisory and implement these guidelines as appropriate.”

Lisa Fong, Director of NZ NCSC, said:

“Supply chain vulnerabilities are amongst the most significant cyber threats facing organisations today.

“As organisations strengthen their own cyber security, their exposure to cyber threats in their supply chain increasingly becomes their weakest point. Organisations need to ensure they are implementing effective controls to mitigate the risk of cyber security vulnerabilities being introduced to their systems via technology suppliers such as managed service providers. They also need to be prepared to effectively respond to when issues arise.”

Rob Joyce, Director NSA, said:

“This joint guidance will help MSPs and customers engage in meaningful discussions on the responsibilities of securing networks and data.

“Our recommendations cover actions such as preventing initial compromises and managing account authentication and authorization.”

Bryan Vorndran, Cyber Division Assistant Director FBI, said:

“Through this joint advisory, the FBI, together with our federal and international partners, aims to encourage action by MSPs and their customers, as malicious cyber actors continue to target this vector for entry to threaten networks, businesses, and organisations globally.

“These measures and controls should be implemented to ensure hardening of security and minimise potential harm to victims.”

A range of steps are set out for MSPs and their customers in the latest advisory, including:

Organisations should store their most important logs for at least six months, given incidents can take months to detect.
MSPs should recommend the adoption of multi-factor authentication (MFA) across all customer services and products, while customers should ensure that their contractual arrangements mandate the use of MFA on the services and products they receive.
Organisations should update software, including operating systems, applications, and firmware, and prioritise the patching of known exploited vulnerabilities.

The advisory makes clear that organisations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations.

Leave a comment , ,
1 4 5 6 7 8 17